FY 2005 OFFICE OF INSPECTOR GENERAL
FISMA REVIEW OF GSA’S INFORMATION TECHNOLOGY SECURITY PROGRAM
REPORT NUMBER A050174/O/T/F05024

September 21, 2005

TABLE OF CONTENTS

EXECUTIVE SUMMARY ........ i
INTRODUCTION ........ 1
   Objectives, Scope, and Methodology ........ 1
RESULTS OF AUDIT ........ 3
   GSA’s Certification and Accreditation Process Was Not Consistently Utilized ........ 4
   Contingency Plans Were Not Developed and Tested For Three Systems ........ 5
   System Owners Were Not Comprehensively Identifying and Managing Technical Security Weaknesses ........ 6
   Comprehensive Oversight and Evaluation of Contractors Remains an Issue ........ 7
   RECOMMENDATIONS ........ 9
MANAGEMENT COMMENTS ........ 9
INTERNAL CONTROLS ........ 9

APPENDICES
GSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF MANAGEMENT AND BUDGET’S FISMA QUESTIONS ........ A-1
TEN SYSTEMS REVIEWED BY THE OFFICE OF INSPECTOR GENERAL IN 2005 ........ B-1
RESULTS OF TECHNICAL VULNERABILITY SCANNING FOR TEN SYSTEMS ........ C-1
STATUS OF CONTRACTOR BACKGROUND CHECKS FOR TEN SYSTEMS ........ D-1
GSA CIO’S RESPONSE TO DRAFT AUDIT REPORT ........ E-1
REPORT DISTRIBUTION ........ F-1

EXECUTIVE SUMMARY

Purpose

This audit report presents the results of the Inspector General’s Fiscal Year (FY) 2005 independent evaluation of the General Services Administration’s (GSA) Information Technology (IT) Security Program and controls for select systems as required by the Federal Information Security Management Act of 2002 (FISMA). The objective of the audit was to assess the effectiveness of GSA’s IT Security Program and practices for select systems, and respond to specific questions posed in the Office of Management and Budget’s (OMB) FY 2005 reporting guidance for FISMA. This audit report is provided for inclusion as an appendix in GSA’s FY 2005 FISMA report and FY 2007 budget submission to the OMB.

Background

FISMA provides a comprehensive framework for (1) ensuring the effectiveness of information security controls over information resources that support Federal operations and assets; (2) development and maintenance of minimum controls required to protect Federal information and information systems; and (3) improved oversight of agency information security programs.

Results-in-Brief

While steps have been taken to improve GSA’s IT Security Program, our review found management, operational, and technical control weaknesses that require management attention. System owners had not consistently implemented GSA’s IT Security Program, thus exposing agency systems to undue risk. System certification and accreditation packages were not always complete, and testing of contingency plans continues to be an area of risk. Patch management processes were not in place to ensure the timely mitigation of known vulnerabilities for contractor maintained devices that had not been securely configured. Oversight and evaluation of security controls for subcontractors and third party system interconnections was not consistently performed by system owners for contractor provided solutions. Finally, background checks were not performed for contractors before they were granted access to GSA systems, a condition reported in 2003 and 2004. Overall, system owners continue to demonstrate that more consistent implementation of GSA’s IT Security Program and increased system monitoring are needed. Responses to specific OMB FISMA questions are included in Appendix A.

Recommendations

To improve security over GSA’s data and information technology assets, we recommend that the GSA-CIO take actions to:

1) Increase oversight of GSA’s Information Technology Security Policy and procedure implementation related to certification and accreditation to ensure that:
   a) Security for third party interconnections is assessed and evaluated as part of system certification and accreditation.
   b) Certification and accreditation documentation, including risk assessments, security plans, security plan testing and evaluations, and plans of action and milestones, are current and complete.

2) Develop and implement procedures to ensure completion and maintenance of system contingency plans as part of the certification and accreditation process, and clarify roles, responsibilities, and requirements for comprehensive system contingency plan testing.

3) Develop an enterprise-wide approach to patch management and vulnerability scanning to include identification of tools and processes to clarify roles and responsibilities for system owners in managing risks for their systems, including devices maintained by vendors.

4) Expand the quarterly technical vulnerability scanning program provided by the Office of the Senior Agency Information Security Officer to include oversight and evaluation of system owners’ application of hardening guides for routers, switches, and devices maintained by vendors.

5) Identify and promote the adoption of compensating controls across GSA to minimize risks where persons were granted access to systems or data prior to the completion of required background checks.

Management Comments

The GSA-CIO concurred with the findings and recommendations outlined in this report.

INTRODUCTION

The Federal Information Security Management Act of 2002 (FISMA) provides a framework for securing Federal information systems including: (1) ensuring the effectiveness of information security controls over information resources; (2) development and maintenance of minimum controls required to protect Federal information and information systems; and (3) a mechanism for improved oversight of agency information security programs. This audit report presents the results of the Inspector General’s Fiscal Year (FY) 2005 independent evaluation of the General Services Administration’s (GSA) agencywide Information Technology (IT) Security Program and controls for select systems as required by FISMA.

Objectives, Scope, and Methodology

The objective of this audit was to assess the effectiveness of GSA’s IT Security Program and practices for select systems in meeting FISMA requirements. Our response to specific questions outlined in the Office of Management and Budget (OMB) FY 2005 reporting guidance for FISMA is included in Appendix A. This audit report is provided for inclusion as an appendix in GSA’s FY 2005 FISMA report and FY 2007 budget submission to the OMB.

We met with agency IT security officials in the GSA Office of the Chief Information Officer and Services, Staff Offices, and Regions (S/SOs/R), including the GSA Chief Information Officer (GSA-CIO), Senior Agency Information Security Officer, and Information System Security Managers and Officers (ISSMs and ISSOs) for select systems. An assessment of security controls for 10 systems across GSA’s S/SOs/R was also conducted. Appendix B lists the 10 systems reviewed as part of this audit.
We reviewed GSA’s agencywide IT Security Policy[1] and procedures, standards, and guidelines for implementing GSA’s IT Security Program. To obtain information on commonly accepted IT security principles and practices, we used the National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publications and Special Publication 800 series security guidelines. We also reviewed GSA’s annual financial statement audit report for FY 2004, including management letters and penetration test results.

[1] GSA Order CIO P 2100.1B - GSA Information Technology Security Policy, November 4, 2004.

To assess the effectiveness of GSA’s IT Security Program, we reviewed security controls for seven major applications and three general support systems. We examined risk assessments, security plans, system testing and evaluation results, certification and accreditation letters, contingency plans, and system-level Plans of Action and Milestones (POA&M) for each system. We also performed vulnerability scanning on the 10 systems using the StillSecure Vulnerability Assessment and Management tool.

In addition to FISMA, we used other applicable regulations and policies including: OMB Circular A-130 Revised, Appendix III, Security of Federal Automated Information Resources, November 2000; GSA Order CIO P 2100.1B - GSA Information Technology Security Policy, November 4, 2004; GSA’s procedural guides on conducting risk assessments, certification and accreditation, incident handling, and related technical hardening guides and standards, available on the GSA-CIO’s IT Security Intranet site; NIST Federal Information Processing Standards Publications, and 800 series special publications; and Homeland Security Presidential Directive (HSPD) 12 “Policy for a Common Identification Standard for Federal Employees and Contractors,” August 27, 2004.

Audit work was performed between April 2005 and September 2005 in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

While steps have been taken to improve the General Services Administration’s (GSA) Information Technology (IT) Security Program, our review found management, operational, and technical control weaknesses that require management attention. GSA’s IT Security Program, including the agencywide policy, procedural and technical guides, and security awareness and training, has been updated to reflect NIST, OMB, and Office of Personnel Management guidance. The GSA Chief Information Officer (GSA-CIO) has implemented a process to review system Certification and Accreditation (C&A) documentation for consistency with agency policy and NIST guidance and has updated its inventory of information systems covered under the IT Security Program to include all IT investments. The GSA-CIO also employs a vulnerability scanning program to verify implementation of the agency’s security configuration policy for approximately 2,000 servers across all agency systems. However, system owners for 10 select systems we reviewed had not consistently implemented GSA’s IT Security Program, thus exposing agency systems to undue risk. System C&A packages did not always include a complete risk assessment, security plan, Security Test and Evaluation (ST&E), and Plan of Action and Milestones (POA&M). One general support system had not updated C&A documentation to include controls to mitigate risk with Voice over Internet Protocol (VoIP), and scanning identified several critical level vulnerabilities within the VoIP infrastructure. Testing of contingency plans continues to be an area of risk, as three of ten systems we reviewed did not have tested contingency plans in place. For five of the remaining seven systems, testing was not comprehensive or did not cover critical components of the contingency plans. POA&Ms for two major applications and one general support system did not include specific known system security weaknesses and, as such, it was unclear how risk was being managed for these systems. GSA’s IT Security Program was not consistently implemented, as evidenced by risk assessments and security plans that were not comprehensive and by incomplete POA&Ms, both of which were reported as areas needing improvement in 2004. Contractor maintained devices on two general support systems had not been securely configured, including network enabled printers and VoIP servers, which had several critical and major vulnerabilities. Patch management processes were not in place to ensure the timely mitigation of known vulnerabilities for contractor maintained devices. Oversight and evaluation of security controls for subcontractors and third party system interconnections was not consistently performed by system owners for three contractor provided solutions. Finally, background checks were not performed for contractors before granting them access to GSA systems, a condition reported in 2003 and 2004. Overall, system owners continue to demonstrate that more consistent implementation of GSA’s IT Security Program and increased system monitoring are needed. Appendix A contains our response to specific FISMA questions, as requested by OMB, which was included with our assessment of the effectiveness of GSA’s IT security program and practices for a subset of systems.

GSA’s Certification and Accreditation Process Was Not Consistently Utilized

The GSA-CIO has developed an IT systems security C&A process; however, the process was not consistently implemented across the systems reviewed. C&As were not updated to reassess risks after major changes for two of ten systems. Risk assessments, security plans, or ST&E results were incomplete and, in one instance, outdated for the systems we reviewed. POA&Ms were not consistently used to manage IT security weaknesses. These conditions confirm that GSA’s IT Security Program controls over the C&A process should be strengthened to effectively manage risks.

A general support system in our sample deployed Voice over Internet Protocol (VoIP) without updating its risk assessment and security plan. As a result, technical security weaknesses with the VoIP implementation went undetected. Another general support system moved to a new operating system and combined two networks, but did not address these changes in a subsequent update to the security plan. The impact on security of the system’s change in hardware and software was unclear without a reassessment of security controls. GSA’s IT Security Policy requires all GSA major applications and general support systems to be certified and accredited at least every three years or whenever there is a significant change to the system’s security posture. Information System Security Officers (ISSOs) are responsible for monitoring system security and maintaining security documentation. Post accreditation activities are necessary to maintain the system accreditation status throughout the system life cycle.[2] The current quality control process for C&As has not always been effective in identifying major changes with GSA systems that require a reassessment of risks and controls.

[2] NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” May 2004.

Two major applications and a general support system did not include a threat-likelihood level matrix in their system risk assessment. For one system, which is part of a major application, the C&A did not address specific risk areas and security controls. Another major application’s ST&E was over three years old, and the ST&Es for one major application and one general support system did not contain plans for correcting or addressing weaknesses.

The GSA-CIO has implemented an agencywide process to track program and system-level POA&M activities on a quarterly basis. However, program officials did not consistently use a POA&M to manage IT security weaknesses. Specifically, two major applications and one general support system supporting GSA did not include security weaknesses identified through the C&A process in their POA&M. One general support system was recording weaknesses from the ST&E in another document, but this document was not noted as being used on the POA&M. For another major application, identified weaknesses were not mitigated within specified timeframes as required in the system accreditation letters. A recent Statement on Auditing Standards 70 (SAS 70) review noted that these weaknesses were removed from the system POA&M, but were not yet resolved. Similar findings with the POA&M process were reported in 2003 and 2004.

Office of Management and Budget (OMB) guidance on FISMA directs agency CIOs and program officials to develop, implement, and manage POA&Ms for all programs and systems that they operate and control. When using a risk-based approach, security weaknesses with the greatest and most immediate potential impact are addressed first. GSA’s IT Security Policy and procedures on POA&Ms are consistent with OMB guidance. POA&Ms should include all security weaknesses found during any other review done by, for, or on behalf of the agency, including Government Accountability Office audits, financial system audits, and critical infrastructure vulnerability assessments. System-level POA&Ms were not always used to effectively manage risks because specific security weaknesses were not identified and tracked.

The GSA-CIO continues to rely on the Information System Security Managers (ISSMs) and ISSOs across the agency to implement the GSA IT Security Policy. Even though the GSA-CIO published the POA&M Implementation Guide in May 2005 to clarify requirements, weaknesses identified through the C&A process were not consistently being recorded on POA&Ms in a timely manner for seven of the ten systems we reviewed. Inconsistent use of the POA&M process resulted in security weaknesses not being promptly tracked and mitigated.

Contingency Plans Were Not Developed and Tested For Three Systems

Three of ten systems reviewed that were certified and accredited had not developed an IT contingency plan, but two had addressed some limited elements of contingency planning in Continuity of Operations Plans (COOP).
One contingency plan for a major application did not address all system components and data center sites. While IT contingency plans had been developed for the seven other systems we reviewed, the plans for those systems were missing key elements of contingency planning as outlined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34.[3] Three of ten systems included in our review had not tested their contingency plans, while the other seven systems had performed limited testing of their contingency plans. The GSA-CIO requires that NIST SP 800-34 be used when performing tasks related to contingency planning. GSA’s C&A process, consistent with NIST SP 800-37, does not require the formal development of IT contingency plans as part of C&A, even though contingency plans are essential to system availability and security.

[3] NIST Special Publication 800-34, “Contingency Planning Guide for Information Technology Systems,” June 2002.

GSA’s IT Security Policy requires the development of a contingency plan for each system in accordance with OMB Circular A-130, Appendix III. Two general support systems that provide IT communications and data processing infrastructure for GSA associates in two Regions did not have a documented IT contingency plan developed, but had noted this weakness in their POA&Ms. Security officials for these two general support systems provided a COOP in lieu of an IT Contingency Plan. However, the COOPs did not address recovery procedures for IT operations, and as such, it is unclear how these two general support systems will be able to recover and restore IT operations in the event of a contingency.

While IT contingency plans had been developed for seven of ten systems reviewed, most of these plans were missing key elements of contingency planning as recommended by NIST. Five of seven contingency plans did not include a business impact analysis to identify and prioritize critical system components and identify disruption impacts and appropriate system downtimes. Without a business impact analysis, it is unclear how contingency planning requirements and recovery processes would be prioritized. One contingency plan for a major application did not address all system components and data center sites. Another major application did not include detailed procedures for system recovery. These conditions could negatively impact the ability to recover from a contingency situation.

Contingency plan testing is a critical component of the contingency planning process that enables plan deficiencies to be identified and addressed, and helps to evaluate the ability of recovery personnel to implement the plan efficiently. NIST recommends that contingency plan testing include all elements of the contingency plan and address six areas: (1) system recovery on an alternate platform, (2) coordination amongst recovery teams, (3) internal and external connectivity, (4) system performance using alternate equipment, (5) restoration of normal operations, and (6) notification procedures. Seven of ten systems had tested their contingency plans; however, testing was not comprehensive in accordance with NIST guidance.

System Owners Were Not Comprehensively Identifying and Managing Technical Security Weaknesses

While the Office of the GSA-CIO has employed a technical vulnerability scanning program to verify implementation of required security configurations for approximately 2,000 servers across the agency, we found that system owners were not routinely identifying and managing technical security weaknesses for their systems. We found technical security vulnerabilities on servers and other network devices that were not included in the scanning performed by the Office of the GSA-CIO. Our scanning identified contractor maintained devices on GSA’s network that had not been hardened according to GSA’s IT Security Policy. These devices had several critical vulnerabilities that exposed GSA’s network to unnecessary risks. Further, there was no patch management process in place for two general support systems to ensure that security vulnerabilities were mitigated in a timely manner. Summary results of technical vulnerability scanning for systems are included in Appendix C.

GSA’s IT Security Policy requires ISSOs to evaluate known vulnerabilities, to ensure their systems are patched, and to harden their systems according to GSA-CIO procedural guides. For two general support systems we reviewed, ISSOs were relying on the quarterly vulnerability scanning of servers performed by the Office of the GSA-CIO to identify known vulnerabilities and were not ensuring that their systems were patched and security hardened as required by GSA’s IT Security Policy. One Regional office employed VoIP, which included a voicemail server with several critical vulnerabilities that, if exploited, could impact the confidentiality, integrity, and availability of the VoIP system. While system owners advised us that they were in the process of implementing patch/configuration management tools for the Regions, a patch management process to securely configure and harden all system devices to address security vulnerabilities in a timely manner was not in place for these general support systems. As a result, GSA’s IT environment was exposed to unnecessary risks.

Vulnerability scans conducted on three contractor provided eGovernment systems behind contractors’ firewalls revealed that one contractor was running an HP-UX server that had not been hardened as required. Our scanning found several critical level vulnerabilities on this server that, if exploited, could affect the confidentiality, integrity, and availability of this eGovernment system. The GSA-CIO was not aware that any agency systems were running HP-UX, and the ISSO had not ensured that the HP-UX server was hardened and patched in accordance with industry best practices as required by the GSA IT Security Policy. As a result, two actions are needed for system owners to identify and manage technical security weaknesses. An enterprise-wide approach to patch management, as well as technical vulnerability scanning by system owners, is needed. More comprehensive monitoring by the GSA-CIO of system devices other than servers would assess the effectiveness of hardening guides and measure the extent of their implementation. These actions would improve security over GSA’s data and information technology assets.

Comprehensive Oversight and Evaluation of Contractors Remains an Issue

While the GSA-CIO has taken steps to ensure the security of contractor provided solutions and services, we found that the ISSO for three contractor provided eGovernment systems that process, store, and transmit Privacy Act information had not ensured that GSA security policies and procedures were being followed by subcontractors and third party system interconnections processing sensitive government data.
System owners and ISSOs had not ensured that required\nbackground checks had been performed for all contractors supporting the systems reviewed.\nFurthermore, for background checks that had been completed, there were a number of different\ntypes of checks that were performed, which were not always consistent with requirements stated\nin GSA\xe2\x80\x99s IT Security Policy. As such, GSA systems and sensitive Privacy Act data are at an\nincreased risk of being compromised. Appendix D lists the status of background checks for\ncontractors supporting the 10 systems we reviewed by type of check performed.\n\nThe GSA-CIO has implemented several controls to provide oversight and evaluation of\ncontractor provided and supported systems. The Office of the GSA-CIO performs quarterly\nscanning of contractor supported systems and reviews contractors\xe2\x80\x99 internal system scanning\nresults. NIST SP 800-26 self-assessments were also performed for all GSA systems including\ncontractor provided/supported systems. However, for three contractor provided eGovernment\nsolutions, the ISSO had not provided comprehensive oversight and evaluation of third party\nvendors that were receiving and processing Privacy Act Data for government employees since\nsystem interconnections had not been authorized as part of the C&A. While the risk assessment\nfor one eGovernment solution identified lack of verification of security for third parties as a risk\narea, the system owner decided not to verify the security of third parties supporting the\neGovernment solution system interconnections. As such, the risk of compromising Privacy Act\ndata by the solution providers supporting the vendors was increased. OMB Circular A-130\nAppendix III requires agencies to obtain written management authorization before connecting\ntheir IT systems to other systems. 
NIST guidance recommends that a written authorization be documented in the form of a Memorandum of Agreement or Interconnection Security Agreement. This written authorization should define the rules of behavior and controls that must be maintained for the system interconnection.

In addition, timely completion of background checks for contractor personnel with access to GSA systems and data remains a risk. The GSA-CIO recognized the need for background checks by reporting this security weakness on the agencywide POA&M, and subsequently indicated completion of that item in November 2004. Similar to findings in our 2003 and 2004 FISMA reviews, independent assessments of 10 systems in 2005 found that background checks were not completed for approximately half of the identified contractors allowed access to these systems or data, and the type of background check completed varied widely, as shown in Appendix D. ISSOs were unable to provide the status of background checks for contractors supporting one system.

Subsequent to a recommendation in our 2004 FISMA report, the GSA-CIO revised the background check requirement from a National Agency Check with Inquiries Credit (NACIC) to a Special Agreement Check (SAC) as follows: “Contractors who design, operate, test, maintain, and/or monitor GSA systems must have at least a background investigation consisting of a Special Agreement Check (SAC) consisting of the following checks: FBI Fingerprint, Security/Suitability Investigations Index (SII), Defense Clearance and Investigations Index (DCII), Immigration and Naturalization Service Master Index (INSMI), and credit.” [1] With the revised policy, system security officials were reminded of their responsibilities to obtain the background checks.

Discussions with the Senior Agency Information Security Officer confirmed that GSA will be required to address background checks in FY 2006 with implementation of Homeland Security Presidential Directive-12 (HSPD-12) on common identification standards for Federal employees and contractors. Under HSPD-12, all Executive Departments and Agencies and independent establishments must issue credentials based on a “National Agency Check with Written Inquiries (NACI).” However, until HSPD-12 is implemented, system owners should be reminded that the lack of completed background checks remains a risk, and that compensating controls should be implemented in all cases where personnel without background checks have already been given access to GSA systems or data.

RECOMMENDATIONS

To improve security over GSA’s data and information technology assets, we recommend that the GSA-CIO take actions to:

1) Increase oversight of GSA’s Information Technology Security Policy and procedure implementation related to certification and accreditation to ensure that:
   a) Security for third party interconnections is assessed and evaluated as part of system certification and accreditation.
   b) Certification and accreditation documentation, including risk assessments, security plans, security plan testing and evaluations, and plans of action and milestones, is current and complete.

2) Develop and implement procedures to ensure completion and maintenance of system contingency plans as part of the certification and accreditation process, and clarify roles, responsibilities, and requirements for comprehensive system contingency plan testing.

3) Develop an enterprise-wide approach to patch management and vulnerability scanning to include identification of tools and processes to clarify roles and responsibilities for system owners in managing risks for their systems, including devices maintained by vendors.

4) Expand the quarterly technical vulnerability scanning program provided by the Office of the Senior Agency Information Security Officer to include oversight and evaluation of system owners’ application of hardening guides for routers, switches, and devices maintained by vendors.

5) Identify and promote the adoption of compensating controls across GSA to minimize risks where persons were granted access to systems or data prior to the completion of required background checks.

MANAGEMENT COMMENTS

The GSA-CIO concurred with the findings and recommendations outlined in this report. A copy of the GSA-CIO’s comments is included in its entirety as Appendix E.

INTERNAL CONTROLS

As discussed in the Objectives, Scope, and Methodology section of this report, the objective of our review was to assess the effectiveness of GSA's IT Security Program and practices for select systems in meeting FISMA requirements. While this audit included a review of management, operational, and technical controls for 10 GSA systems, we did not test all system controls across the agency.
The Results of Audit and Recommendations sections of this report state in detail the need to strengthen specific managerial, operational, and technical controls within the IT Security Program.

GSA, OFFICE OF INSPECTOR GENERAL RESPONSES TO THE OFFICE OF MANAGEMENT AND BUDGET’S FISMA QUESTIONS

TEN SYSTEMS REVIEWED BY THE OFFICE OF INSPECTOR GENERAL IN 2005

SASy (Major Application)
  Owner: Federal Supply Service (FSS)
  Description: The Sales Automation System (SASy) is the FSS automated system to conduct sales of surplus government property in an efficient, expeditious manner and obtain maximum net returns with a minimum of inconvenience to holding agencies. SASy is a contractor supported Privacy Act system categorized as low risk.

eOffer (Part of the FSS-19 Major Application)
  Owner: Federal Supply Service (FSS)
  Description: eOffer is an Internet accessible application designed to offer the vendor community an electronic means for submitting contract offers to the GSA FSS and is part of FSS-19. eOffer is a contractor supported system categorized as moderate risk.

eTravel EDS (Major Application)
  Owner: Federal Supply Service (FSS)
  Description: Electronic Data Systems (EDS) eTravel provides one of three eGovernment travel solutions whose purpose is to realize operational efficiencies, cost-savings, and increased service to the Federal traveler through a common, automated, and integrated approach to managing Federal Government travel functions. eTravel EDS is a contractor provided hardware and software solution containing Privacy Act data categorized as moderate risk.

eTravel CWGT (Major Application)
  Owner: Federal Supply Service (FSS)
  Description: Carlson Wagonlit (CWGT) eTravel provides one of three eGovernment travel solutions whose purpose is to realize operational efficiencies, cost-savings, and increased service to the Federal traveler through a common, automated, and integrated approach to managing Federal Government travel functions. eTravel CWGT is a contractor provided hardware and software solution containing Privacy Act data categorized as moderate risk.

eTravel NGMS (Major Application)
  Owner: Federal Supply Service (FSS)
  Description: Northrop Grumman Mission Systems (NGMS) eTravel provides one of three eGovernment travel solutions whose purpose is to realize operational efficiencies, cost-savings, and increased service to the Federal traveler through a common, automated, and integrated approach to managing Federal Government travel functions. eTravel NGMS is a contractor provided hardware and software solution containing Privacy Act data categorized as moderate risk.

WABN (General Support System)
  Owner: Office of the Chief Information Officer (CIO)
  Description: Security risks for GSA’s Wide Area Backbone Network (WABN) are managed as part of the CIO’s Enterprise Infrastructure Operations system. WABN serves as the primary infrastructure for interconnecting GSA’s geographic locations and network users.

PAR (Major Application)
  Owner: Office of the Chief Financial Officer (CFO)
  Description: The Payroll Accounting and Reporting System (PAR) provides complete payroll functionality for GSA employees and maintains retirement records for submission to the Office of Personnel Management. PAR is a contractor supported system categorized as moderate risk.

NEAR (Major Application)
  Owner: Office of the Chief Financial Officer (CFO)
  Description: The National Electronic Accounting and Reporting (NEAR) system is designed to control, record, classify, and summarize financial events to meet requirements of the Federal accounting for annual, multiple year, or no year appropriations and revolving funds. NEAR is a contractor supported system categorized as moderate risk.

Region 3 PBS LAN (General Support System)
  Owner: Mid Atlantic Region (R-3)
  Description: The Region 3 Public Buildings Service (PBS) Local Area Network (LAN) provides the Information Technology (IT) communications and data processing infrastructure for GSA employees and contractors. This system is categorized as moderate risk.

Region 9 PBS/FTS LAN (General Support System)
  Owner: Pacific Rim Region (R-9)
  Description: The Region 9 Public Buildings Service/Federal Technology Service (FTS) LAN provides the IT communications and data processing infrastructure for GSA employees and contractors. This system is categorized as moderate risk.

RESULTS OF TECHNICAL VULNERABILITY SCANNING FOR TEN SYSTEMS

Results of technical scanning for known vulnerabilities are presented below. Categorizations of critical, major, and minor vulnerabilities are assigned by our automated scanning tool. All scans were non-intrusive and conducted behind system firewalls with the assistance of system administrators and Information System Security Officers.
False positives and vulnerabilities previously identified by system owners as an acceptable risk have been excluded.

                        Devices      Critical          Major             Minor
System                  Scanned      Vulnerabilities   Vulnerabilities   Vulnerabilities
SASy                        6              0                 1                 3
eOffer                      7              0                 0                 1
eTravel EDS                40              1                 1                 4
eTravel CWGT                8              1                 2                 0
eTravel NGMS                5             13                 4                14
WABN                       20             10                10                10
PAR                        21              0                 4                 3
NEAR                        1              0                 1                 0
Region 3 PBS LAN       78 (LAN)           66                25                14
                        8 (VoIP)          35                 7                 6
Region 9 FTS/PBS LAN      143             14                 8                 2

STATUS OF CONTRACTOR BACKGROUND CHECKS FOR TEN SYSTEMS

Independent assessments of 10 systems found that background checks were not completed for approximately half of the identified contractors allowed access to these systems or data. Background checks are the responsibilities of the System Owner, Information Systems Security Manager and Information System Security Officer.

                        Number of    Background                                             Percent With a
                        Contractor   Checks Not   Completed Background                      Completed
System                  Personnel    Completed    Checks By Type [4]                        Background Check
SASy                         5            2       3 NACIC                                         60%
eOffer [5]                   -            -       -                                                0%
eTravel EDS                143           82       61 Background Investigations [6]                43%
eTravel CWGT                78            0       78 consisting of all or parts of the           100%
                                                  following: County Criminal Search,
                                                  Statewide Criminal Search, Federal
                                                  District Court Criminal Search,
                                                  Government Watch List, Qualisys Drug
                                                  Screen, 5 Panel Drug Test, Academic
                                                  Check, Social Security Number Trace,
                                                  Professional License, and/or
                                                  Lexis-Nexis checks
eTravel NGMS                65           50       15 DOD Secret Clearance                         23%
WABN                        14            4       10 NACIC                                        71%
PAR and NEAR [7]            30           21       9 NACIC                                         30%
Region 3 PBS LAN            17            1       9 NCIC                                          94%
                                                  6 FBI Fingerprint
                                                  1 Contract Suitability
Region 9 PBS/FTS LAN        13            4       9 DHS Limited Check                             69%

[4] Documentation supporting the type of background checks conducted varied widely by system. NACIC is a National Agency Check with Inquiries Credit. DOD Secret Clearance is a security clearance for classified documents. NCIC is a National Crime Information Center check. FBI Fingerprint is a basic criminal check. The Contract Suitability check did not define the nature of the background checks. The Department of Homeland Security reported completing an unspecified limited check for one location.
[5] Officials with significant security responsibilities for eOffer did not provide a list of contractor personnel and the status of their background checks.
[6] For the eTravel EDS system, no further information was provided as to the type of background investigations that were completed for contract staff.
[7] Both PAR and NEAR systems are hosted at the same contractor facility and supported by the same staff.
Contractor background check numbers posted represent both systems.

GSA CIO’S RESPONSE TO DRAFT AUDIT REPORT

REPORT DISTRIBUTION

                                                                                      Copies
Office of the Chief Information Officer (I) ............................................ 3
Office of the FSS Chief Information Officer (FI) ....................................... 1
Office of the Chief Financial Officer (B) .............................................. 2
Office of the Chief People Officer (C) ................................................. 1
Mid-Atlantic Region 3 (3A) ............................................................. 1
Pacific Rim Region 9 (9A) .............................................................. 1
Audit Follow-up and Evaluation Branch (BECA) ........................................... 1
Assistant Inspector General for Auditing (JA and JAO) .................................. 2
Deputy Assistant Inspector General for Finance and Administrative Audits (JA-F) ........ 1
Deputy Assistant Inspector General for Acquisition Audits (JA-A) ....................... 1
Regional Inspector General for Auditing (JA-3 and JA-9) ................................ 2
Administration and Data Systems Staff (JAS) ............................................ 1
Assistant Inspector General for Investigations (JI) .................................... 1
Regional Inspector General for Investigations (JI-3 and JI-9) .......................... 2